Apache-2.2
Apache on SLES only serves https when started with the -D SSL parameter
For a few days I have been hacking away at this server, trying to convert a fresh apache install to HTTPS, with plans to convert it to NSS once SSL is running properly. The server is not Internet-facing and is strictly for our internal network, so a self-signed certificate is used. I believe this is something simple that someone more experienced will spot quickly.
its:/etc/apache2 # httpd -v
Server version: Apache/2.4.23 (Linux/SUSE)
Server built: 2018-04-04 10:24:21.000000000 +0000
Here is the command that starts the server with SSL enabled:
its:~ # apache2ctl -D SSL -k start
You can see from the command below that httpd is listening on 80 and 443:
its:~ # netstat -anp | grep -i listen |head -10
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 12704/postgres
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1587/master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1461/sshd
tcp 0 0 ::1:5432 :::* LISTEN 12704/postgres
tcp 0 0 ::1:25 :::* LISTEN 1587/master
tcp 0 0 :::443 :::* LISTEN 17086/httpd-prefork
tcp 0 0 :::80 :::* LISTEN 17086/httpd-prefork
tcp 0 0 :::22 :::* LISTEN 1461/sshd
unix 2 [ ACC ] STREAM LISTENING 20198 3246/gnome-session- @/tmp/.ICE-unix/3246
unix 2 [ ACC ] STREAM LISTENING 26729 10664/2 /tmp/ssh-QVZiT6g6BZ/agent.10664
Here is what shows up in the apache error log when running the command above:
[Tue Jun 19 18:09:06.548624 2018] [mpm_prefork:notice] [pid 17086] AH00163: Apache/2.4.23 (Linux/SUSE) OpenSSL/1.0.2j-fips PHP/7.0.7 configured -- resuming normal operations
[Tue Jun 19 18:09:06.548653 2018] [core:notice] [pid 17086] AH00094: Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -D SSL'
Now trying to start the server normally (without the -D SSL option):
its:~ # apache2ctl start
its:/etc/apache2 # netstat -anp | grep -i listen |head -10
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 12704/postgres
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1587/master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1461/sshd
tcp 0 0 ::1:5432 :::* LISTEN 12704/postgres
tcp 0 0 ::1:25 :::* LISTEN 1587/master
tcp 0 0 :::80 :::* LISTEN 22448/httpd-prefork
tcp 0 0 :::22 :::* LISTEN 1461/sshd
unix 2 [ ACC ] STREAM LISTENING 20198 3246/gnome-session- @/tmp/.ICE-unix/3246
unix 2 [ ACC ] STREAM LISTENING 26729 10664/2 /tmp/ssh-QVZiT6g6BZ/agent.10664
unix 2 [ ACC ] STREAM LISTENING 20051 1911/gdm-simple-sla @/tmp/dbus-UIT8sEpY
And in the apache error log:
[Wed Jun 20 09:00:59.337270 2018] [ssl:warn] [pid 22448] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Wed Jun 20 09:00:59.342902 2018] [mpm_prefork:notice] [pid 22448] AH00163: Apache/2.4.23 (Linux/SUSE) OpenSSL/1.0.2j-fips PHP/7.0.7 configured -- resuming normal operations
[Wed Jun 20 09:00:59.342982 2018] [core:notice] [pid 22448] AH00094: Command line: '/usr/sbin/httpd-prefork -D SYSCONFIG -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf'
I did notice the ssl:warn in the second listing above, so here is the research:
its:/etc/apache2 # cat httpd.conf |grep ssl-global.conf |grep -v \#
Include /etc/apache2/ssl-global.conf
its:/etc/apache2 # cat ssl-global.conf|grep SSLSessionCache |grep -v \#
SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 300
httpd.conf:
its:/etc/apache2 # cat httpd.conf |grep -v ^\# |grep -v ^$
Include /etc/apache2/uid.conf
Include /etc/apache2/server-tuning.conf
ErrorLog /var/log/apache2/error_log
<IfDefine !SYSCONFIG>
Include /etc/apache2/loadmodule.conf
</IfDefine>
Include /etc/apache2/listen.conf
Include /etc/apache2/mod_log_config.conf
<IfDefine !SYSCONFIG>
Include /etc/apache2/global.conf
</IfDefine>
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf
Include /etc/apache2/mod_reqtimeout.conf
Include /etc/apache2/mod_cgid-timeout.conf
Include /etc/apache2/mod_usertrack.conf
Include /etc/apache2/mod_autoindex-defaults.conf
TypesConfig /etc/apache2/mime.types
Include /etc/apache2/mod_mime-defaults.conf
Include /etc/apache2/errors.conf
Include /etc/apache2/ssl-global.conf
<Directory />
Options None
AllowOverride None
<IfModule !mod_access_compat.c>
Require all denied
</IfModule>
<IfModule mod_access_compat.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>
AccessFileName .htaccess
<Files ~ "^\.ht">
<IfModule !mod_access_compat.c>
Require all denied
</IfModule>
<IfModule mod_access_compat.c>
Order allow,deny
Deny from all
</IfModule>
</Files>
DirectoryIndex index.html index.html.var
Include /etc/apache2/default-server.conf
IncludeOptional /etc/apache2/vhosts.d/*.conf
ServerName 192.168.25.53
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
And finally my virtual host file:
its:/etc/apache2 # cat vhosts.d/*conf |grep -v \# |grep -v ^$
ServerTokens Prod
TraceEnable off
LogLevel notice
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost _default_:443>
DocumentRoot /srv/www/htdocs/mantis
ServerName 192.168.25.53
ServerAlias 192.168.25.53
ServerAdmin webadmin@sample.com
ErrorLog "|| /usr/sbin/rotatelogs2 /var/log/apache2/error_log_ssl.%Y%m%d 100M"
TransferLog "|| /usr/sbin/rotatelogs2 /var/log/apache2/access_log_ssl.%Y%m%d 100M"
CustomLog "|| /usr/sbin/rotatelogs2 /var/log/apache2/ssl_request_log.%Y%m%d 100M" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
CustomLog "|| /usr/sbin/rotatelogs2 /var/log/apache2/ssl_referer_log.%Y%m%d 100M" "%t %h %{Referer}i -> %U"
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
SSLCertificateChainFile /etc/apache2/ssl/apache.crt
SSLCACertificatePath /etc/apache2/ssl
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
<Directory "/srv/www/htdocs/mantis">
Require all granted
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
</IfDefine>
</IfDefine>
If there are any other conf or log files I should include to troubleshoot this better, please say so in the comments below. I am open to any suggestions or best-practice approaches that may fall outside the scope of this question, but please keep those to the comments.
Apparently on SuSE you need to put this line in the /etc/sysconfig/apache2 file:
APACHE_SERVER_FLAGS="-D SSL"
You can see that your config file contains an IfDefine, so it is doing this on purpose.
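To make the IfDefine behaviour concrete, here is an added example (my own code, not from the question or from the SUSE start scripts) that evaluates nested <IfDefine> blocks the way httpd does and pulls the -D names out of an APACHE_SERVER_FLAGS line; the vhost config and sysconfig text are constructed samples mirroring the question.

```python
import re

# Constructed sample mirroring the vhost file in the question: the :443
# VirtualHost sits inside <IfDefine SSL><IfDefine !NOSSL>, the :80 one does not.
SAMPLE_VHOST_CONF = """\
<IfDefine SSL>
<IfDefine !NOSSL>
<VirtualHost _default_:443>
    SSLEngine on
</VirtualHost>
</IfDefine>
</IfDefine>
<VirtualHost *:80>
    DocumentRoot /srv/www/htdocs
</VirtualHost>
"""

_OPEN = re.compile(r"^\s*<IfDefine\s+(!?)(\S+?)\s*>\s*$", re.IGNORECASE)
_CLOSE = re.compile(r"^\s*</IfDefine>\s*$", re.IGNORECASE)
_VHOST = re.compile(r"^\s*<VirtualHost\s+([^>]+)>\s*$", re.IGNORECASE)


def active_vhosts(conf_text, defines):
    """Return the VirtualHost addresses httpd would load given the -D names.
    A block is live only if every enclosing <IfDefine> holds; '!' negates."""
    defines = set(defines)
    stack = []  # truth value of each enclosing <IfDefine>, innermost last
    live = []
    for line in conf_text.splitlines():
        m = _OPEN.match(line)
        if m:
            negated, name = m.group(1) == "!", m.group(2)
            stack.append((name in defines) != negated)
        elif _CLOSE.match(line):
            if not stack:  # httpd rejects an unmatched close; so do we
                raise ValueError("</IfDefine> without matching <IfDefine>")
            stack.pop()
        else:
            m = _VHOST.match(line)
            if m and all(stack):
                live.append(m.group(1).strip())
    if stack:
        raise ValueError("unclosed <IfDefine> block")
    return live


def server_flag_defines(sysconfig_text):
    """Parse the -D names out of APACHE_SERVER_FLAGS in /etc/sysconfig/apache2."""
    m = re.search(r'^APACHE_SERVER_FLAGS="?([^"\n]*)"?', sysconfig_text, re.M)
    return set(re.findall(r"-D\s*(\S+)", m.group(1))) if m else set()
```

Running active_vhosts over your real vhosts.d files with the defines from sysconfig shows at a glance whether the :443 host will exist before you restart httpd.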